Whereas information systems auditing is confined to the information being processed. There are several types of audits that are regularly conducted by many organizations across the world in the areas of:
- Software Audits (Any organization can go for an audit when suppliers are always feeding into the supply chain.)
- Infrastructure and Software Application Audits (Audits pertaining to purely IT Infrastructure layer such as the Operating systems [Microsoft/Linux/IBM]).
- Network Audits (Audits on Router switches, firewalls, appliances, hardware, wireless networks, authentication and testing, VLAN testing, etc.)
- Standard applications audits (ERP-Oracle, SAP).
- Mobile application testing, mobile application audits or testing services - there had been a great increase with regards to applications on mobile and there are a lot of risks and threats to the consumers and huge potential loss to organizations. Hence the audits on mobile testing services are becoming a high priority for different organizations like banking, government and consumers; wherein the mobile code or the applications can be exposed and can be vulnerable to intruders. It is now increasingly becoming very important and crucial for such applications to be tested and audited very thoroughly. Certain standards are being developed in order to facilitate such kind of ISO standards (ISO/IEC/IEEE 29119-1:2013 – Software and Systems Engineering – Software Testing – Part 1: Concepts and definitions).
- Auditing websites – Nowadays, loads of websites are open with hundreds of threats and vulnerabilities which the website owners are not even aware of. Auditing at periodic intervals of such websites is very important. This may become an entry point or the gateway for the entire infrastructure of the organization.
- Auditing call center and VoIP type of applications – Today, many call centers are having common industry clients as customer for example, banks can be customers to call center and the agents have access to all competitor information since they can access both banks information. It could become a potentially huge risk for the bankers because information can be shared with each other. In such cases not only should the technology be tested but also aspects such as NDA sign ups with the call center personnel, information access levels and blocking of information, all these aspects can be tested/audited and a detailed report can be provided that will contain the following:
- Provide all VOIP, auditing and assessment services at an independent level
- Deliver a complete report at different levels for different stakeholders
- Provide an executive summary report highlighting the decision-making points to the top management for further actions
- Provide a detailed report for the technical staff are provided in order to present technical details and process level support.
- Enables process owners of the business owners to understand these gaps and processes
- Enables bridging the gaps for the operations personnel to enhance the SOP statements
Services through Auditing beyond Financials
To meet the demands of the system audits and assessments brought about by the ever increasing emphasis on certification schemes and vendor/supplier audits, Nbiz Infosol offers a wide range of quality management products and consultancy for information security implementations, which range from security policy development to intrusion detection support. While providing organizations with the ability to align their business goals with information system goals, Nbiz enables good governance and assists organizations to review their framework, while continuously assessing and managing their security levels.
Traditionally, auditing & assessment only involved financial auditing and accounting practice as established and applied in almost all of the organizations around the world. Publicly listed companies, stock exchange, government organizations, public sector organizations are specially audited and assessed purely from a financial perspective. The financial auditors would provide a report at the end of the year and will submit it to the respective auditing authorities. The laws and regulations are set by the Financial Authority in the company or is based on the country’s regulatory or financial bodies at the government level, international regulations and so on and so forth.
With the increased requirements of automation and information being processed by variety of systems and information flow, information is no longer confined solely to the organizations anymore. The information travels at the speed of light within the organization, even more so outside the organization boundaries; to the suppliers, partners and so on.
Note: This can be classified as;
- B2B communication (Business-to-business communication)
- C2C communication (Consumer-to-consumer communication)
- B2C communication (Business-to-consumer communication)
- G2G communication (Government-to-government communication)
- G2C communication (Government-to-consumer communication)
Hence, auditing and assessing such Information Systems is not appropriately practiced in many organizations relative to financial auditing. The top and executive management of certain matured organizations need to give more attention to this and understand this critical point.
Although it is very evident that Information Systems is the heart of all the processing of the financial data, financial information or the operational information is considered as the core of the business processes.
Information and email communication enables the information flow across various business units within and outside the organizations boundaries. But at the same time, security cannot be neglected or overlooked. Many of the companies have suffered tremendously because of the risk being overlooked when there was no information systems auditing being adopted.
RUSPAR - Read, Understand, Schedule, Perform, Analyse & Report
At Nbiz, we proudly deliver Auditing and Assessment Services via an effective and efficient 6 Phases Methodology called “RUSPAR”. Auditing and Assessment although interchangeably used, these two terminologies are quite different. However for the sake of simplicity of presenting our services, we are expressing auditing and assessment interchangeably.
Phase I - READ
Reading the presented documents is the most common initial task in the whole process of Auditing and Assessment. The documents can be presented either to us or the Nbiz Auditors can also look at various channels of acquiring information such as websites, on the publicly available documents for the initial reading.
Typical documents that are requested are:
- Quality Documents (If the company is already certified Nbiz Auditors looks for the entire process maps, procedures, checklists, templates etc.,)
- Internal Audit reports
- Company’s Strategy, Mission Vision and other plans
- External Audit reports etc.
Phase II - UNDERSTAND
In this 2nd phase, the Nbiz Auditors completely understands the scope and organization. This phase is crucial for the auditors as the auditors would completely understand and form an idea or opinion about context of the organization very clearly. This is the base for the entire auditing analysis sites without which the further phases will not be successful. Many other auditing and assessment organizations do not allocate proper time for these, and when they lack proper understanding it fails and it is indirectly affecting the execution stage and hence the outcome of the engagement may not be successful. However, unless the auditors are very conscious about the engagement and particularly aligns it within the client’s scope, they are due diligent auditors.
Phase III - SCHEDULE
In this 3rd phase, it is where the various interviews and scheduling is done. The schedule along with the the planning is already assumed to be sent are already prepared and confirmed from the client side as well. Normally we create an initial planning schedule, and it must be communicated prior of 2 to 3 weeks before the auditing and assessment engagement with the client. The typical information that would be required for this phase are:
- Date and time of the interview
- Names of the interviewees
- Designation or the role of the concerned the person required
- The topic on the agenda at a high-level that may be discussed with the interviewee
- And any other relevant details
We also ensure that other logistics and travel considerations are already addressed before we finalize the schedule.
Phase IV - PERFORM
In this 4th phase, Nbiz auditors are actually conducting the audit and follow the schedule as per the above phases. Depending on the scope of work to be audited, the relevant questionnaire on discussion points may differ. Typically the following activities are done in this phase:
- A site walk-through or a short visit is done at the first step so as to get the understanding of the whole organization.
- Interviews with the relevant holders or the Auditee’s
- Discussions with senior and other management
- A reasonable checklist document for following up the audit (Note: it doesn’t mean Nbiz auditors are “checklist auditors”.)
- Observations, etc.,
Sometimes there may be more than one auditors performing these tasks and at the end of the day of and at the end of the assessment period, the auditors will also collectively have a discussion.
Phase V - ANALYSE
Once the perform phase is completed as above in the analyses methodology, the auditors task is to analyse all the information that is collected from the above phase. The different discussions that has been covered, the interviews that has been completed, the various other documents and evidences collected during the above session, questionnaires training, all these are forming the basis for the analyse/analysis phase. Typical activities that are performed under this phase are:
- Analyze the roles and responsibilities of the various stakeholders mentioned in other policies and procedures documents
- Analyze the process efficiency and effectiveness
- Analyze the measurement methods different KPI’s
- Analyze the other aspects that are required as per the audit Scope or the scope of work.
Phase VI - REPORT & PRESENTATION
After the analyze phase is completed the report and presentation phase starts. Nbiz auditors finalizes the reporting structure as per the agreed format of the interviewees of oddities and then formulate a first draft of the oddities. Typically the report format is already discussed during the engagement or if it is a standard format the required standard reports are provided.
During this phase usually the following activities are performed:
- The report preparation for the executive and senior management.
- The report preparation for the technical and audience as per the scope of work or audits scope.
- Presentation may be contacted depending on the requirement of the senior management highlighting the summarize reports.
- Presentation may be conducted for the technical or for the audience as per the scope of work details, evidences and observations that has been selected and performed during the different phases.
- The formal closure of the audits and assessment engagement.
Also a detailed report must be sent after 2 to 3 weeks upon the completion of the audits which is also agreed during the engagement. The detailed report delivery period is also agreed during the engagement or at the proposal stage.
What NBIZ proudly offers
NBIZ combines extensive knowledge, experience and expertise with regards to standards and frameworks to provide fully customizable services for every organization. NBIZ will sit down with you and understand your requirements and provide you the proper guidance to get you in the right path for your organization. We can help you achieve certifications if required or simply audit and assess the services required in a manner acceptable to your organization with realistic goals and justifiable budget. We pride our company in providing the right solutions for the right requirements. NBIZ helps organizations understand their needs and not just provide clients with their wants. We position ourselves not just as a provider but more importantly as partner.
We can provide you with the manpower you need. NBIZ provides hundreds of training courses that will allow your organization develop your current employee roster. NBIZ may also help you find the right candidate through our Resources Augmentation services.
We have a huge pool of consultants, auditors and industry practitioners with a multitude of specializations. We have the right mix of knowledge and experience to meet your every need.